Identifying Malware using Machine Learning

2024 International Conference on Advances in Computing, Communication and Applied Informatics (ACCAI) | 979-8-3503-8944-9/24/$31.00 ©2024 IEEE | DOI: 10.1109/ACCAI61061.2024.10602181

Ensemble Model
Saketh Bandlapalli1 , S Nikhil Janarthan 2 , S Ragul3 , G.Sujatha4*

Department of Networking and Communications, School of Computing, College of Engineering and Technology, SRM Institute of
Science and Technology, Kattankulathur, Chennai, India
E-mail: sujathag@srmist.edu.in
*Corresponding author: G.Sujatha

Abstract- Cybersecurity researchers continue to face the to spot patterns that indicate harmful activity. There are a
formidable problem of malware detection, which calls for number of benefits to using ML for malware detection,
cutting-edge methods of threat identification and mitigation. such as the fact that it can scale, adapt to new threats, and
A hybrid method to malware detection using machine automate the examination of massive datasets. Class
learning techniques is presented in this study. Logistic
Regression, Random Forest, K Nearest Neighbours (KNN),
imbalance, feature selection, and the need for strong
Support Vector Machine (SVM), Gaussian Naive Bayes assessment procedures are some of the obstacles that ML-
(NB), and Linear Discriminant Analysis (LDA) are some of based detection systems encounter, despite their
the classifiers focused on in the research. To improve the promise.[12]
performance of the model, data preparation methods like
Random Over-Sampling take into account the imbalance To overcome these obstacles, this study proposes a hybrid
between classes. A dataset consisting of characteristics method of malware detection that makes use of many ML
derived from malware samples is used to train and assess algorithms, each with its own set of advantages. Improved
each classifier. The accuracy, precision, recall, and F1-score detection accuracy, resilience, and generalizability across
are some of the evaluation measures used to measure the
performance of the model. To further enhance overall
malware kinds are the goals of the suggested strategy,
detection accuracy, ensemble learning approaches like the which makes use of the complementary nature of varied
Voting Classifier are used to integrate the predictions of classifiers. Logistic Regression, Random Forest, K Nearest
separate models. With ensemble models outperforming Neighbours (KNN), Support Vector Machine (SVM),
individual classifiers, the findings show that the hybrid Gaussian Naive Bayes (NB), and Linear Discriminant
strategy is successful. Insights on the effectiveness of hybrid Analysis (LDA) are some of the classifiers that are the main
models for cybersecurity applications are offered by this focus of the research. They are all meant to be integrated
study, which adds to improving malware detection into a single framework.[6]
algorithms.

Keywords: Malware detection, Machine learning, Hybrid

Building and testing a hybrid method for malware
approach, Ensemble learning, Logistic Regression, Random detection utilising ML approaches is the main focus of this
Forest, K Nearest Neighbours, Support Vector Machine, research. We want to evaluate performance measures,
Gaussian Naive Bayes, Linear Discriminant Analysis, Data conduct experiments with data pre-treatment approaches,
pre-processing. compare hybrid models to individual classifiers,
implement ensemble learning, and analyse the efficacy of
I. INTRODUCTION individual classifiers[3]. By accomplishing these goals, the
study aims to improve malware detection approaches by
Security experts throughout the globe face formidable making them more accurate, resilient, and generalizable
obstacles due to the ever-increasing complexity and speed across different forms of malware.
of malware. A wide variety of threats may penetrate
systems, jeopardise data integrity, and disrupt operations; Collecting data from various sources to construct a
these are all examples of malicious software, or malware. representative dataset of malware samples is the first of
Malware of all kinds, from simple viruses and worms to many critical processes in the technique. To fix class
advanced persistent threats (APTs) and ransomware, is imbalance and make the model work better, pre-processing
always spreading as hackers develop new strategies. methods like Random Over-Sampling are used. Accuracy,
Therefore, protecting digital assets and keeping precision, recall, and F1-score are some of the
information systems secure requires strong mitigation and comprehensive metrics used to assess ML classifiers once
detection measures. they have been trained on the pre-processed dataset. Next,
predictions are combined to generate hybrid models using
Recent years have seen the rise of machine learning (ML) ensemble learning approaches, one of which is the Voting
as a potential method for malware detection. This method Classifier. It is possible to evaluate the suggested method's
makes use of algorithms that can learn from data in order effectiveness in malware detection by comparing the

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on November 05,2024 at 11:40:17 UTC from IEEE Xplore. Restrictions apply.
performance of hybrid models with that of separate  Mahindru and Sangal [7] conducted an empirical
classifiers. analysis on the effectiveness of malware detection
models developed using ensemble methods. They
By improving ML-based malware detection algorithms, evaluated the performance of different ensemble
this study is expected to make substantial advances to the techniques and identified the most efficient methods
cybersecurity arena. When compared to using separate for detecting Androidmalware reliably.
classifiers, the suggested hybrid method provides more  Bhat et al. [8] proposed a system call-based Android
robust detection capabilities. Cybersecurity practitioners malware detection approach using homogeneous and
may benefit from a better understanding of classifier heterogeneous ensemble machine learning. The
strengths and limits thanks to the creation of an exhaustive method analyses system call sequences to detect
assessment methodology. Research has real-world malicious behaviour in Android apps, achieving high
applications, such as practical insights for building and accuracy in malware detection.
implementing malware detection systems that work in real-  Salah et al. [9] developed a lightweight Android
world circumstances. This will help to strengthen defences malware classifier using novel feature selection
against changing threats and protect important digital methods. The approach focuses on identifying the
assets. In the end, we hope that this study will help us better most relevant features that contribute to malware
understand malware detection using ML and that it will classification, optimising the efficiency and
lead to more trustworthy cybersecurity solutions. accuracy of the detection process.
 Alghazzawi et al. [10] proposed an efficient
II.RELATED WORKS detection method for DDoS attacks using a hybrid
deep learning model with improved feature selection.
 Mahindru and Sangal [1] developed the MLDroid Although not directly related to Android malware,
framework for Android malware detection using this approach demonstrates the effectiveness of
machine learning techniques. The framework hybrid deep learning models in detecting malicious
leverages various machine learning algorithms to activities in network-based attacks .
detect and classify Android malware, enabling  Akash Dixit, Sukhwinder Singh. [11], Malware
effective security measures for mobile devices. Detection Using Random Forest 14th International
 Taha and Malebary [2] proposed a hybrid Conference on Computing Communication and
classification approach for Android malware based Networking Technologies (ICCCNT).
on fuzzy clustering and the gradient boosting  Burnap P, et al. [12] Malware classification using
machine. The method combines fuzzy clustering for self organising feature maps and machine activity
feature representation and gradient boosting machine data.
for classification, improving the accuracy of  Olaniyi Ayeni, Otasowie Owolafe. [13] A
malware detection. Supervised Machine Learning Algorithm for
 Bashir et al. [3] introduced a hybrid machine Detecting Malware (WCICSS).
learning model for malware analysis in Android  Vinay Kumar, Swati Vashisht, Gitika Sharma,
apps. They combined multiple machine learning Shivani Sharma, Sakshi Kaur, Prabhat Singh.[14]
algorithms to create an effective model for detecting Malware Detection Using Machine Learning, 2021
malicious behaviour and identifying potential International Conference on Technological
security risks in Android applications. Advancements and Innovations (ICTAI)
 Şahın et al. [4] developed the LinRegDroid system,  Anand Sharma, Sunita Choudhary. Malware
which utilises multiple linear regression models to Detection & Classification using Machine Learning,
detect Android malware. By analysing various [15] International Conference on Emerging Trends
features extracted from apps, LinRegDroid provides in Communication, Control and Computing
accurate malwaredetection and classification. (ICONC3)
 Ding et al. [5] proposed a hybrid analysis-based
approach for Android malware family classification. Please note that the content provided above is a summary
The method integrates static analysis, dynamic of the literature surveys without author citations.
analysis, and machine learning techniques to
accurately classify malware into different families, III.EXISTING SYSTEM
improving the effectiveness of malware detection.
 Zhu et al. [6] presented a hybrid deep network The limitations of the present method for identifying
framework for Android malware detection. The malware utilizing hybrid algorithms combining random
framework combines deep neural networks with forest and logistic regression highlight the need for
other machine learning algorithms to improve the innovation and improvement in malware detection. One
accuracy and efficiency of malware detection in important concern is the high reliance on the accuracy of
mobile devices. characteristics retrieved from malware samples. Malware

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on November 05,2024 at 11:40:17 UTC from IEEE Xplore. Restrictions apply.
is meant to be elusive, frequently adopting complex ways IV.PROPOSED SYSTEM
to avoid detection. If the classification characteristics are
incomplete or fail to capture the intricacies of malware As previously mentioned, the application of a hybrid
activity, the system is vulnerable to misclassification and method in malware detection offers a strong defense
false positives. This can lead to serious repercussions, such against the constantly changing field of cyber threats. The
as security breaches and system compromises. solution boosts resilience against different kinds of
Furthermore, the computational cost of the hybrid malware and improves detection accuracy by utilizing
algorithm technique raises considerable concerns. Random numerous machine learning methods. With the help of the
forest and logistic regression techniques are naturally distinct advantages that each classifier offers, the system is
resource-intensive, requiring significant computer power able to recognize a wide range of patterns and traits that
and memory. Integrating these techniques increases the point to harmful activity. Strong algorithms with unique
computing overhead, making it difficult to deploy the approaches to comprehending and categorizing data
system in real-time scenarios or scale it to handle massive include Random Forest, Support Vector Machine (SVM),
amounts of data efficiently. As a result, the system might Logistic Regression, and Linear Discriminant Analysis
struggle to keep up with the evolving world of cyber (LDA). For example, Random Forest is particularly good
threats, where timely detection and reaction are key. A at managing high-dimensional data and intricate feature
significant disadvantage of the system is its incapacity to interactions, whereas Logistic Regression is very good at
efficiently manage malware that is new or evolving. handling linear correlations. The system leverages the
Conventional machine-learning techniques are less complimentary characteristics of these classifiers to create
effective at recognizing new or undiscovered malware a more extensive and precise detection mechanism by
variants since they rely on historical data and merging them. Additionally, correcting class imbalance via
predetermined patterns for categorization. This lack of methods like Random Over-Sampling guarantees that the
flexibility makes the system less effective at identifying model is trained on a representative dataset, avoiding
changing threats, making firms more susceptible to new biases in favour of the majority class and enhancing the
types of cyberattacks. To overcome these obstacles, a model's efficacious detection of minority class samples.
diverse strategy is needed. First, in order to accurately The assessment measures that are employed, such as the
capture a wider range of malware characteristics, efforts F1-score, recall, accuracy, and precision, offer a
should be directed toward improving feature extraction comprehensive perspective of the system's functioning by
approaches. This could entail using cutting-edge taking into consideration both false positives and false
techniques like ensemble learning or deep learning to negatives. This helps to fine-tune parameters for best
extract more intricate information from malware samples. performance and enables a deeper knowledge of the
Furthermore, researchers ought to investigate scalable and model's usefulness. By combining predictions from
lightweight algorithms that can effectively handle massive individual classifiers, ensemble learning approaches like
amounts of data in real time without compromising the Voting Classifier further improve the system's
accuracy. Additionally, the system's capacity to recognize capabilities by reducing the danger of overfitting and
novel and unidentified malware variants can be improved boosting overall resilience. likewise, the focus on offering
by the integration of threat intelligence and anomaly helpful guidance for putting malware detection
detection approaches. Through persistent observation of technologies into practice in actual situations highlights
system behaviour and network traffic, abnormalities how applicable and pertinent the system is. The system
suggestive of malicious activity can be identified and helps to fortify cybersecurity defences against new threats
looked into immediately, improving the system's flexibility by bridging the gap between theoretical ideas and real-
and ability to respond to new threats. Enhancing the world application, eventually protecting vital assets and
system's interpretability is also essential for making infrastructures. In the final analysis, the proposed hybrid
malware behaviour analysis and comprehension easier. approach to malware detection, which makes use of the
Model explainability and feature importance analysis are advantages of several machine learning algorithms and
two techniques that can give security analysts insight into ensemble learning techniques to achieve better detection
how machine learning models make decisions. This allows accuracy and practical applicability, provides a thorough
them to pinpoint important signs of fraudulent activity and and efficient means of countering evolving cyber threats
adjust their detection tactics accordingly. In conclusion,
improving the efficacy and efficiency of malware detection
systems requires resolving the aforementioned drawbacks,
even though the current hybrid algorithm-based approach
for malware identification offers advantages.
Organizations may reduce the risks associated with
malware infections and improve their defence against
changing cyber threats by implementing a comprehensive
approach to cybersecurity and utilizing new solutions.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on November 05,2024 at 11:40:17 UTC from IEEE Xplore. Restrictions apply.
 V.SYSTEM ARCHITECTURE Similar to the Logistic Regression module, performance
metrics such as accuracy, precision, recall, and F1-score
are computed for training and testing data. Additionally,
feature importance analysis is conducted to understand
which features contribute most significantly to malware
detection. Visualisations aid in comprehending the
classifier's behaviour and performance nuances.

4. Ensemble Learning with Voting Classifier -

Random Forest and Logistic Regression:
Ensemble learning techniques, particularly Voting
Classifier, are employed to merge predictions from
Random Forest and Logistic Regression classifiers. This
hybrid approach aims to leverage the strengths of
individual classifiers for improved malware detection.
Performance evaluation involves comparing the accuracy
of the ensemble model with those of its constituent
classifiers. Visualisations, such as bar plots, provide a
Fig. 1. System Architecture comparative analysis of individual and hybrid model
accuracies.
VI.METHODOLOGY
5. Ensemble Learning with Voting Classifier - K
Malware detection, a vital part of cybersecurity, is based Nearest Neighbours (KNN) and Support Vector
on advanced algorithms and ensemble learning approaches. Machine (SVM):
This complete system includes data collection, pre- In this module, KNN and SVM classifiers are trained
processing, and training of a variety of classifiers, independently on the pre-processed dataset. The Voting
including Logistic Regression, Random Forest, KNN, Classifier is then applied to combine their predictions,
SVM, Gaussian Naive Bayes, and LDA. Ensemble aiming to enhance malware detection accuracy through
techniques, such as the Voting Classifier, are used to ensemble learning. Performance evaluation includes
combine predictions with the goal of increasing malware computing accuracy scores for both individual models
detection accuracy. and the hybrid model. Comparative analysis helps discern
the efficacy of the ensemble approach in comparison to
Following Steps are involved: individual classifiers.
1. Data Collection and Pre-processing Module:
Malware detection begins with collecting a diverse dataset 6. Ensemble Learning with Voting Classifier -
comprising malware samples from various sources. This Gaussian Naive Bayes and Linear Discriminant
dataset encompasses features extracted through static and Analysis (LDA):
dynamic analysis, behavioural attributes, and metadata. To Gaussian Naive Bayes and LDA classifiers are trained
address class imbalance, prevalent in malware datasets, separately on the pre-processed dataset to identify malware
pre-processing techniques like Random Over-Sampling are instances. The Voting Classifier is subsequently utilised to
applied. These techniques ensure a balanced distribution of merge their predictions, forming a hybrid model.
malware and benign samples, fostering a more Performance evaluation entails calculating accuracy scores
representative dataset for training classifiers. for individual classifiers and the hybrid model. Results
are compared to gauge the effectiveness of ensemble
2. Logistic Regression Module: learningin malware detection.
In this module, the Logistic Regression classifier is trained
on the pre-processed dataset to discern malware instances. VII.RESULT AND DISCUSSION
Performance evaluation involves computing essential
metrics such as accuracy, precision, recall, and F1-score for The dataset used in this research project includes 15,000
both training and testing data. The evaluation also entails data entries, each of which includes 200 unique attributes
generating visualisations like confusion matrices, that are used to detect malware. Operations like
precision-recall curves, and ROC curves to provide CHANGE_WIFI_STATE, READ_FRAME_BUFFER,
insights into the classifier's discriminatory capabilities and ACCESS_SURFACE_FLINGER,RUNTIME.LOADLIB
overall performance. RARY and BROADCAST_SMS are a few of the
noteworthy features. These characteristics cover a wide
3. Random Forest Module: range of actions that are frequently connected to malicious
The Random Forest classifier is trained using the pre- software activity.
processed dataset to detect malware patterns effectively.

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on November 05,2024 at 11:40:17 UTC from IEEE Xplore. Restrictions apply.
TABLE 1: Performance Metrics of Logistic regressionand
Random Forest
Logistic Random Hybrid (RF
Metric
Regression Forest & LR)
Precision 0.9610 0.9945 N/A
F1 Score 0.9766 0.9904 N/A
Recall 0.9927 0.9863 N/A
Accuracy 0.9825 0.9929 0.9933

TABLE 2: Performance Metrics of KNN and SVM

Hybrid (KNN
Metric KNN SVM
&SVM)
precision 0.9210 0.9754 N/A
F1 Score 0.9656 0.9854 N/A
Test Score 0.9899 0.9893 0.9899
Fig.2. Accuracy graph
TABLE 3: Performance Metrics of Naive Bayes and LDA
Naive Hybrid (NB &
Metric LDA
Bayes LDA)
Test Score 0.7178 0.9728 0.9728
precision 0.8654 0.9485 N/A
F1 Score 0.7241 0.9632 N/A

Logistic Regression, Random Forest, K Nearest

Neighbours (KNN), Support Vector Machine (SVM),
Naive Bayes, and Linear Discriminant Analysis (LDA)
were some of the machine learning models used to detect
malware in this research. With a testing accuracy score of
99.29%, Random Forest stood out as the highest performer
among these models. While tested against competing
models, Random Forest performed better in terms of
accuracy (99.45%) and recall (98.63%), suggesting that it
is resilient while making positive and negative class
predictions. Similarly, Logistic Regression performed
well, with an accuracy score of 98.25%. In addition, we Fig.3. Loss graph
looked at hybrid models to combine the best features of
many classifiers. The best testing result of 99.33% was
achieved by a hybrid strategy that combined Random
Forest and Logistic Regression. This highlights the
possibility for multiple algorithms to work together. The
significance of choosing suitable algorithms for malware
detection tasks is highlighted by the fact that models like
Naive Bayes demonstrated comparatively lower accuracy.
In this research, Random Forest stood out as the top model
for malware identification, proving its worth for
cybersecurity applications.

Fig.4.Confusion Matrix

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on November 05,2024 at 11:40:17 UTC from IEEE Xplore. Restrictions apply.
 performance is made possible by Random Forest's ability
to handle such complexity by building an ensemble of
decision trees, each trained on distinct subsets of the data.
However, logistic regression provides a sound statistical
foundation for predicting the likelihood of events, which
makes it an excellent choice for binary classification
problems such as malware identification.

REFERENCES
[1] Mahindru, A., & Sangal, A. L. (2021). MLDroid— framework
for Android malware detection using machine learning
techniques. Neural Computing and Applications, 33(10),5183-
5240.
[2] Taha, A. A., & Malebary, S. J. (2021). Hybrid classification of
Android malware based on fuzzy clustering and the gradient
Fig.5.ROC Curve boosting machine. Neural Computing and Applications,
33, 6721-6732.
[3] Bashir, S., Maqbool, F., Khan, F.H. and Abid, A.S., 2023.
VIII.CONCLUSION Hybrid Machine Learning Model for Malware Analysis in
Android Apps. Pervasive and Mobile Computing,p.101859.
[4] Sahın, Durmuş Özkan, Sedat Akleylek, and Erdal Kiliç.
In conclusion, one of the most important developments in "LinRegDroid: Detection of Android malware using multiple
cybersecurity is the combination of random forest and linear regression models-based classifiers." IEEE
logistic regression in malware detection. Random forest is Access10(2022):14246-14259.
an excellent tool for managing enormous datasets and [5] Ding, Chao, Nurbol Luktarhan, Bei Lu, and Wenhui Zhang. "A
hybrid analysis-based approach to android malware family
finding complex patterns in them, which helps the system classification." Entropy 23, no. 8 (2021): 1009.
distinguish between dangerous and benign software. In the [6] Zhu, H. J., Wang, L. M., Zhong, S., Li, Y., & Sheng, V. S.
meanwhile, the probabilistic framework of logistic (2021). A hybrid deep network framework for android malware
regression gives the classification process an extra degree detection. IEEE Transactions on Knowledge and
DataEngineering,34(12),5558-5570.
of assurance, leading to a more sophisticated [7] Mahindru, Arvind, and A. L. Sangal. "HybriDroid: an empirical
comprehension of virus activities. Through a synergistic analysis on effective malware detection models developed using
interaction that fosters an overall increase in system ensemble methods." The Journal of Supercomputing77(2021):
efficacy, this hybridization makes use of the qualities of 8209-8251.
[8] Bhat, P., Behal, S., & Dutta, K. (2023). A system call- based
both algorithms. As such, enterprises may implement this android malware detection approach with homogeneous &
solution with assurance, understanding that it provides a heterogeneous ensemble machine learning. Computers &
strong barrier against ever-changing cyberthreats. This Security, 130, 103277.
hybrid strategy is ready to grow and adapt with the times, [9] Salah, Ahmad, Eman Shalabi, and Walid Khedr. "A lightweight
android malware classifier using novel feature selection
keeping up with the rapidly changing digital world while methods." Symmetry 12, no. 5 (2020): 858.
providing consistent protection. [10] Alghazzawi, D., Bamasag, O., Ullah, H. and Asghar, M.Z.,
2021. Efficient detection of DDoS attacks using a hybrid deep
learning model with improved feature selection. Applied
IX.FUTURE WORK Sciences, 11(24), p.11634.
[11] Akash Dixit, Sukhwinder Singh. 2023 14th International
Preventing malware is still one of the biggest challenges in Conference on Computing Communication and Networking
cybersecurity as cyber threats are getting more complicated Technologies (ICCCNT)
[12] Burnap P, et al. 2020 Malware classification using self
and sophisticated every day. Consequently, to keep ahead organising feature maps and machine activity data
of harmful actors, it is essential to integrate modern [13] Olaniyi Ayeni, Otasowie Owolafe. 2021 A Supervised Machine
approaches and processes. An interesting direction for Learning Algorithm for Detecting Malware (WCICSS).
improving malware identification systems is the suggestion [14] Vinay Kumar, Swati Vashisht, Gitika Sharma, Shivani Sharma,
Sakshi Kaur, Prabhat Singh. Malware Detection Using Machine
to investigate hybrid algorithms, more especially the Learning, 2021 International Conference on Technological
combination of random forest and logistic regression Advancements and Innovations (ICTAI)
models. Large datasets with plenty of characteristics may [15] Anand Sharma, Sunita Choudhary. Malware Detection &
be handled using random forest methods, which is well- Classification using Machine Learning, 2020 International
Conference on Emerging Trends in Communication, Control
known and especially helpful when it comes to malware and Computing (ICONC3)
identification. Because malware may display a wide range
of behaviours and characteristics, from file properties to
network traffic patterns, it is necessary to analyse large
amounts of multidimensional data. Robust classification

Authorized licensed use limited to: Amrita School of Engineering. Downloaded on November 05,2024 at 11:40:17 UTC from IEEE Xplore. Restrictions apply.